Windmill CVE-2026-54136
MEDIUMSeverity by source
Network-accessible API requiring a valid scoped token (PR:L); no complexity or user interaction; read-only confidentiality impact with no integrity or availability effect.
Estimated by vuln.today — no official severity rating has been published for this CVE yet.
Lifecycle Timeline
1DescriptionCVE.org
Summary
A resource-scoped API token can read script contents outside its allowed path scope via GET /api/w/{workspace}/scripts/list_search.
This appears to be a remaining variant of the scoped-token authorization class previously addressed for other endpoints. The route-level scope middleware validates the token domain/action, but does not enforce the resource/path segment of a scope. scripts/list_search then returns script path and content for scripts in the workspace without applying per-row path filtering against the token scopes.
Affected endpoint
GET /api/w/{workspace}/scripts/list_search
Affected versions
Confirmed in the current public repository code and believed to affect the latest published release at the time of review:
<= 1.714.1
Patched version: unknown.
Details
Windmill supports scoped API tokens with scopes in the format:
{domain}:{action}[:{resource}]
The parser supports resource-scoped values such as:
scripts:read:f/allowed/*
and the codebase contains helpers for resource matching, including wildcard matching.
However, the route-level scope check used for requests with scoped API tokens only validates the route domain and action. It does not compare the token's resource/path restriction against the requested route or against the rows returned by list endpoints.
For scripts/list_search, the handler returns path and content for scripts in the workspace:
SELECT path, content from script WHERE workspace_id = $1 AND archived = false LIMIT $2
There is no additional check_scopes(...) call in the handler and no per-row filtering based on the token's resource/path scope.
As a result, a token intended to read only scripts under one path prefix may be able to read script contents from unrelated paths in the same workspace.
Source-level reproduction
- Create or use a workspace containing at least two scripts:
f/allowed/script_af/private/script_b
- Create a scoped API token intended to read only the allowed path:
scripts:read:f/allowed/*
- Use that token to call:
GET /api/w/{workspace}/scripts/list_search
- Expected behavior:
The response should include only scripts matching the token's resource scope, e.g. only scripts under:
f/allowed/*
- Actual behavior from source review:
The route-level scope check accepts the request as scripts:read, and the handler returns script path and content for scripts in the workspace without filtering the rows by the token's resource scope.
This can expose script source code from paths outside the token's intended scope.
Impact
A user or integration holding a path-restricted scripts:read:{resource} token may be able to read script contents from unrelated scripts in the same workspace.
Depending on how scripts are used, this may disclose:
- internal automation logic,
- integration details,
- business logic,
- inline configuration,
- accidentally hardcoded secrets or credentials.
This does not require admin privileges. It requires possession of a valid scoped API token for the workspace.
Related context
This appears related to the broader class of issues where route-level token scope enforcement validates domain/action but not the resource/path portion of the scope. Similar scoped-token issues appear to have been fixed for other endpoints, such as resources/variables listing and job preview/run paths, but I did not find an equivalent fix for scripts/list_search.
Suggested fix
Apply resource/path scope enforcement to scripts/list_search.
Possible approaches:
- Add explicit handler-level authorization similar to per-resource endpoints.
- Filter returned rows so that a scoped token only receives scripts whose
pathis included by at least onescripts:read:{resource}scope. - Add regression tests for:
scripts:read:f/allowed/*cannot seef/private/script_b,- broad
scripts:readstill sees all accessible scripts, - unscoped tokens preserve current behavior,
- filter-tag-only tokens preserve current compatibility behavior.
A more defensive long-term fix would be to make route-level scope enforcement aware of resource/path restrictions where the route contains a concrete resource path, while list endpoints should apply per-row filtering.
AnalysisAI
{workspace}/scripts/list_search handler validates the token's domain and action (scripts:read) at the route level but omits per-row filtering against the token's resource/path segment (e.g., scripts:read:f/allowed/*), causing the underlying SQL query to return all non-archived workspace scripts regardless of path restrictions. Affects all Windmill deployments up to version 1.714.1; no public exploit or CISA KEV listing at time of analysis, but full reproduction steps are published in the GitHub security advisory.
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires possession of a valid, active Windmill API token that carries a `scripts:read` scope (with or without a resource path restriction) for the target workspace. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | No official CVSS score is provided; the assessed vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N places this at approximately 6.5 (Medium). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker or compromised third-party integration holds a scoped API token legitimately issued as `scripts:read:f/allowed/*` - for example, a CI/CD pipeline permitted to read only deployment scripts. The attacker sends a single authenticated GET request to `GET /api/w/{workspace}/scripts/list_search`; the route-level check accepts the request because the domain (`scripts`) and action (`read`) match, and the handler returns the full path and content of every non-archived script in the workspace, including scripts under `f/private/` and other restricted paths that may contain hardcoded database credentials or API keys. … |
| Remediation | No vendor-released patched version has been confirmed at time of analysis - monitor https://github.com/windmill-labs/windmill/security/advisories/GHSA-2ppx-66jv-wpw5 and the Windmill release changelog for a confirmed fix version. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-2ppx-66jv-wpw5